Most cyber insurance products today cover cyber liability risk arising from privacy data breach losses. But cyber related losses can also include property damage and bodily injury, and insurance for these types of losses on critical infrastructure is not always available. Catherine Rudow, Vice President at PartnerRe, explains some of the factors standing in the way of availability, and how the re/insurance industry is working with the U.S. government to find solutions.
This summer, the U.S. Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) published an industry report examining some of the factors holding back the provision of insurance coverage for cyber-related critical infrastructure losses. Examples of critical infrastructure include utilities, pipelines, communications and water supply. The report was the result of a working session between the NPPD and 30 insurers, reinsurers and brokers earlier this year, in which I participated on behalf of PartnerRe.
This working session was the fourth in the series, and the goal of this session was to discuss some of the obstacles to providing property coverage for cyber related losses. Essentially the challenges for the re/insurance industry to provide coverage are three-fold:
Lack of loss data – This is a significant issue due to the reluctance of entities to publicly share data about cyber incidents and related losses for fear of the regulatory or reputational consequences. As a result, there is a lack of broadly accessible cyber risk loss data.
Cyber incident consequence analysis – Without sufficient data, it is difficult to estimate, or model, the effects of a cyber risk attack, and therefore difficult to determine appropriate coverage and pricing. Another obstacle to modeling cyber risk is that it is difficult to assign probabilities to events, as is the case with weather.
Enterprise risk management (ERM) – There is a difference between large entities with robust enterprise risk management programs in place, and mid-size to small entities that do not have these capabilities. Many of these entities are in the same supply chains and are often linked, and a cyber event in one entity can immediately impact others down the chain. Another obstacle is that even those entities that do have ERM programs in place may not consider cyber to be a systemic risk for their organizations.
During the lively discussions, a number of possible solutions were proposed:
To address lack of loss data, participants strongly supported the creation of a cyber incident database where private and public sector organizations and the Federal government would submit cyber incident information anonymously.
The availability of such data would allow re/insurers to potentially model losses. Also, having access to such data would likely incentivize a wider range of organizations to contribute their own loss data as this would allow companies to better benchmark their own risk management performance against that of their peers.
To address the problems with cyber incident consequence analysis, or modeling, the industry would need to be aware of the systemic risk of “interconnectedness”. In terms of analytics, participants urged the Federal government to provide any information they had on critical infrastructure dependencies and vulnerabilities. This would help the industry to model scenarios as well as to identify underwriting questions about their cyber risk exposures and steps taken to address them. Unfortunately, it was recognized that the very same information needed to model could be used to exploit the weaknesses. This was the toughest topic to discuss, and one that had the least amount of consensus.
Finally, to encourage small and mid-sized insureds to include cyber risk as part of an overall corporate risk management program, the group looked at ways to promote the development of ERM and by extension, the case for cyber security insurance. This included the adoption by regulators of ERM as a standard cyber risk management practice as well as a scaled-down “ERM-lite” version that would be cheaper and easier for small and mid-sized entities to implement.
The Federal government’s focus on this growing risk is expected to drive demand for insurance products over the next ten years. If these or similar solutions can be put in place, then the re/insurance industry will have played an important role in shaping the cyber insurance landscape and providing much-needed cover for the growing demand for protection against cyber incidents.
The full report can be found at http://www.dhs.gov/publication/cybersecurity-insurance.